<?php
require_once("DB_Config.php");
require_once("func.php");


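// Login handler: checks the posted credentials against the members table,
// then redirects to admin.php, client.php or back to index.php.

// Accept only plain string fields. A missing field, or an array sent as
// username[]=..., is treated as a failed login rather than reaching md5()
// or the query with a non-string value.
$myusername = isset($_POST['username']) ? $_POST['username'] : null;
$mypassword = isset($_POST['password']) ? $_POST['password'] : null;

if (!is_string($myusername) || !is_string($mypassword)) {
	header("location:index.php");
	exit;
}

// Both values are bound as PDO parameters below; that binding is what keeps
// them out of the SQL text. stripslashes() and mysql_real_escape_string() are
// not applied: ext/mysql no longer exists as of PHP 7, and escaping a value
// that is then bound changes what is compared, so input containing a quote
// or backslash would not match the stored value.
// NOTE(review): if the registration code hashed the escaped form of the
// password, accounts whose password contains quotes or backslashes will need
// a reset - confirm against the sign-up path.

// SECURITY: unsalted MD5 is not a password hash. It is kept here only because
// the query compares against whatever is already stored in members.password.
// Plan a migration to password_hash()/password_verify(), which also needs a
// wider password column and a select-by-username lookup.
$mypassword = md5($mypassword);

// PDO connection
$db_connect = DB_Connection::getInstance();
$sql = "SELECT * FROM members WHERE username=? and password=?";
$stmt = $db_connect->db_conn->prepare($sql);
$param = array($myusername, $mypassword);

// prepare() returns false when PDO is not in exception mode; treat that the
// same as a failed execute.
if ($stmt === false || !$stmt->execute($param)) {
	header("location:index.php");
	exit;
}

$row = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Exactly one matching row is required. No match, or an ambiguous match, is
// sent back to the login form, and exit stops the script after the redirect
// header so nothing further runs for an unauthenticated request.
if (count($row) != 1) {
	header("location:index.php");
	exit;
}

session_start_ifRequired();

// Issue a fresh session id at the moment privileges change, so an id that was
// fixed before login is not carried into the authenticated session.
if (session_status() === PHP_SESSION_ACTIVE) {
	session_regenerate_id(true);
}

$_SESSION['valid'] = 1;
// Stored as submitted (no SQL escaping applied); pages that print it must
// HTML-escape it on output.
$_SESSION['myusername'] = $myusername;
$_SESSION['p'] = $row[0]['priv'];

// Strict comparison: only the exact string 'mng' selects the admin page.
if ($_SESSION['p'] === 'mng') {
	header("location:admin.php");
} else {
	header("location:client.php");
}
exit;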


//ob_end_flush();


?>
